sftpgo: update to 2.7.1
New features
SFTPD: Added support for OpenPubkey SSH, enabling tighter integration between OpenID Connect and SFTP.
Bug fixes
Enforced password validation rules also when applied through a group.
Fixed an issue where JSON dumps containing command actions failed to load correctly at startup when loaded as initial data.
Data Provider: Fixed lock handling issues during migrations that could affect MySQL when migrations are executed concurrently by multiple instances.
Security fixes
Fixed a potential path traversal and permission bypass involving specially crafted paths. CVE-2026-30914.
Fixed placeholder sanitization in group home directories and key prefixes. CVE-2026-30915.
Backward incompatible changes
Unified path handling: Prior to this release, the backslash character (\) was treated differently depending on the host operating system: on Linux, it was considered a standard character within a file or directory name, while on Windows, it acted as a path separator. We have now unified path handling across all platforms. Moving forward, both forward slashes (/) and backslashes (\) are strictly evaluated as path separators, independently of the underlying OS.
firefox140: update to 140.9.1
Mozilla Foundation Security Advisory 2026-27
Security Vulnerabilities fixed in Firefox ESR 140.9.1
Announced
April 7, 2026
Impact
high
Products
Firefox ESR
Fixed in
Firefox ESR 140.9.1
#CVE-2026-5732: Incorrect boundary conditions, integer overflow in the Graphics: Text component
Reporter
Sajeeb Lohani
[34 lines not shown]
wm/herbstluftwm: update to 0.9.6
Release 0.9.6 on 2026-04-03
- New herbstclient mode --binary-pipe which allows to send multiple commands through a single herbstclient instance.
- CSS-inspired theme engine (new attributes theme.name, theme.style_override)
- New client attribute sticky (does not react yet to EWMH requests)
- New option if_multiple_empty for settings.show_frame_decorations that only shows the frame decorations on a tag with multiple frames and no client windows.
- The setting smart_window_surroundings has been changed to accept the following new values: off, one_window (equivalently on), and one_window_and_frame. Setting it to one_window_and_frame will only hide window surroundings when there is only one window and one frame in a tag, one_window and off mirror the old behaviour with regards to true and false.
- New monitors.tag_selection_strategy attribute, which can be used to customize how tags are assigned to new monitors. The default any_unshown picks the first available (not yet shown) tag, which is the same behavior as previous releases. only_empty makes sure only empty tags are picked for new monitors, while prefer_empty prefers empty tags but falls back to any unshown tag if none are empty.
- New support for extra mouse buttons (up to 9). These values are hard-coded, but upstream X.h also uses hardcoded values, so potential for breakage should be minimal.
- Bug fix: Only redraw after new WM_NORMAL_HINTS if it would affect the clients geometry.
- New options to rule consequence floatplacement which allow placement of floating clients into monitor corners; topleft, topright, bottomleft, bottomright
textproc/xan: update to 0.57.0
The temporal update.
Breaking
xan select -n will not error anymore on empty inputs and, generally, empty files should not trigger selection errors when using commands with -n/--no-headers.
xan heatmap -C/--cram becomes a flag accepting either auto, always or never.
Dropping -C short flag for xan sort --cells (it could be confused with --columns or --check).
Completely overhauled how datetimes work in moonblade.
xan separate will not trim splitted values with some modes by default anymore.
Dropping xan network --stats in favor of -f stats.
-D becomes short flag for xan network --degrees instead of --disjoint-keys.
xan separate --capture-groups is dropped in favor of -c/--captures & -C/--all-captures.
Renaming xan search --breakdown shortflag to -b to allow for future -B/--before-context.
Features
Adding xan matrix count & xan matrix adj.
[43 lines not shown]
editors/tp-note: update to 1.25.20
Update dependencies
This release ships Wayland support as a new feature of the `clipboard-rs` crate
v0.3.4 which allows dropping our own Wayland code in `tpnote/src/clipboard.rs`.